Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME9B4C6EFB98B5FC48FF21C6DA9CD822C1CE7A00D192C93735649E883105D35A1
HistoryApr 23, 2024 - 6:12 p.m.

Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image

2024-04-2318:12:55
www.ibm.com
12
ibm
instana
observability
vulnerabilities
agent
container
image
build
cveid
golang
jgit
moby
security
remediation
update
onprem

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.3%

JSON

Summary

Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 271

Vulnerability Details

CVEID:CVE-2023-45285
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw when using go get to fetch a module with the โ€œ.gitโ€ suffix. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the insecure โ€œgit://โ€ protocol, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273323 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-4759
**DESCRIPTION:**Eclipse JGit could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of case insensitive filesystems. By using a specially crafted symlink, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265872 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2024-24557
**DESCRIPTION:**Moby could provide weaker than expected security, caused by improper cache validation in the classic builder cache system. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to conduct a cache poisoning attack.
CVSS Base score: 6.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282700 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Observability with Instana (OnPrem) Build 265 to 270

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by updating IBM Observability with Instana to the latest release as described here:

<https://www.ibm.com/docs/en/instana-observability/current&gt;

Workarounds and Mitigations

None

Related

cvelist 3
redos 2
osv 9
cgr 2
cbl_mariner 3
cve 3
debiancve 3
ubuntucve 3
veracode 3
prion 3
redhatcve 3
alpinelinux 1
github 2
wolfi 2
ibm 17
atlassian 1
openvas 15
nessus 27
oraclelinux 2
redhat 12
fedora 1
almalinux 2
mageia 1
photon 3
ubuntu 1
cvelist
cvelist
CVE-2024-24557 Moby classic builder cache poisoning
2024-02-01 16:26:29
CVE-2023-45285 Command 'go get' may unexpectedly fallback to insecure git in cmd/go
2023-12-06 16:27:55
CVE-2023-4759 Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write
2023-09-12 09:12:10
redos
redos
ROS-20240410-17
2024-04-10 00:00:00
ROS-20240402-17
2024-04-02 00:00:00
osv
osv
Classic builder cache poisoning
2024-02-01 20:51:19
CVE-2024-24557
2024-02-01 17:15:10
BIT-golang-2023-45285
2024-03-06 10:52:37
cgr
cgr
CVE-2024-24557 vulnerabilities
2024-05-19 03:07:16
CVE-2023-45285 vulnerabilities
2024-05-19 03:07:16
cbl_mariner
cbl_mariner
CVE-2024-24557 affecting package moby-engine for versions less than 25.0.3-1
2024-03-19 17:21:46
CVE-2024-24557 affecting package moby-engine for versions less than 20.10.27-3
2024-04-30 01:31:53
CVE-2023-45285 affecting package golang for versions less than 1.21.6-1
2024-05-28 09:07:34
cve
cve
CVE-2024-24557
2024-02-01 17:15:10
CVE-2023-45285
2023-12-06 17:15:07
CVE-2023-4759
2023-09-12 10:15:29
debiancve
debiancve
CVE-2024-24557
2024-02-01 17:15:10
CVE-2023-45285
2023-12-06 17:15:07
CVE-2023-4759
2023-09-12 10:15:29
ubuntucve
ubuntucve
CVE-2024-24557
2024-02-01 00:00:00
CVE-2023-45285
2023-12-06 00:00:00
CVE-2023-4759
2023-09-12 00:00:00
veracode
veracode
Cache Poisoning
2024-02-02 10:52:54
Insecure Protocol Handling
2023-12-12 06:42:34
Arbitrary File Overwrite
2023-09-21 11:12:57
prion
prion
Design/Logic Flaw
2024-02-01 17:15:00
Code injection
2023-12-06 17:15:00
Design/Logic Flaw
2023-09-12 10:15:00
redhatcve
redhatcve
CVE-2024-24557
2024-02-02 01:11:19
CVE-2023-45285
2023-12-07 12:35:36
CVE-2023-4759
2023-09-12 19:54:09
alpinelinux
alpinelinux
CVE-2024-24557
2024-02-01 17:15:10
github
github
Classic builder cache poisoning
2024-02-01 20:51:19
Arbitrary File Overwrite in Eclipse JGit
2023-09-18 15:30:18
wolfi
wolfi
CVE-2024-24557 vulnerabilities
2024-05-28 15:40:08
CVE-2023-45285 vulnerabilities
2024-05-28 15:40:08
ibm
ibm
Security Bulletin: Vulnerability in jgit affect Cloud Pak System [CVE-2023-4759]
2024-01-03 18:17:39
Security Bulletin: IBM App Connect Enterprise Toolkit and IBM Integration Bus Toolkit are vulnerable to a remote attacker due to Eclipse JGit (CVE-2023-4759)
2024-01-08 15:57:39
Security Bulletin: IBM Decision Optimization for Cloud Pak for Data is vulnerable to a remote attacker (CVE-2023-4759)
2024-01-09 15:15:31
atlassian
atlassian
RCE (Remote Code Execution) org.eclipse.jgit:org.eclipse.jgit Dependency in Bamboo Data Center and Server
2024-05-13 10:10:37
openvas
openvas
openSUSE: Security Advisory for eclipse (SUSE-SU-2024:0057-1)
2024-03-04 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:0057-1)
2024-01-09 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2024-1313)
2024-03-13 00:00:00
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : eclipse-jgit, jsch (SUSE-SU-2024:0057-1)
2024-01-09 00:00:00
Oracle Linux 8 : go-toolset:ol8 (ELSA-2024-0887)
2024-02-23 00:00:00
AlmaLinux 8 : go-toolset:rhel8 (ALSA-2024:0887)
2024-02-22 00:00:00
oraclelinux
oraclelinux
go-toolset:ol8 security update
2024-02-22 00:00:00
golang security update
2024-03-06 00:00:00
redhat
redhat
(RHSA-2024:1131) Moderate: golang security update
2024-03-05 15:32:14
(RHSA-2024:1041) Moderate: go-toolset-1.19-golang security update
2024-02-29 08:58:39
(RHSA-2024:0887) Moderate: go-toolset:rhel8 security update
2024-02-20 11:21:14
fedora
fedora
[SECURITY] Fedora 39 Update: golang-1.21.6-1.fc39
2024-01-20 03:24:19
almalinux
almalinux
Moderate: golang security update
2024-03-05 00:00:00
Moderate: go-toolset:rhel8 security update
2024-02-20 00:00:00
mageia
mageia
Updated golang packages fix security vulnerabilities
2023-12-18 01:40:49
photon
photon
Important Photon OS Security Update - PHSA-2023-4.0-0531
2023-12-22 00:00:00
Important Photon OS Security Update - PHSA-2023-5.0-0176
2023-12-21 00:00:00
Important Photon OS Security Update - PHSA-2023-3.0-0702
2023-12-21 00:00:00
ubuntu
ubuntu
Go vulnerabilities
2024-01-11 00:00:00

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.3%

JSON
Related for E9B4C6EFB98B5FC48FF21C6DA9CD822C1CE7A00D192C93735649E883105D35A1
cvelist3redos2osv9cgr2cbl_mariner3cve3debiancve3ubuntucve3veracode3prion3redhatcve3alpinelinux1github2wolfi2ibm17atlassian1openvas15nessus27oraclelinux2redhat12fedora1almalinux2mageia1photon3ubuntu1